1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
new file mode 100644
index 0000000000..281b6486a8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
@@ -0,0 +1,60 @@
+From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 13 Apr 2023 15:40:44 -0700
+Subject: [PATCH] html/template: disallow angle brackets in CSS values
+Angle brackets should not appear in CSS contexts, as they may affect
+token boundaries (such as closing a <style> tag, resulting in
+injection). Instead emit filterFailsafe, matching the behavior for other
+dangerous characters.
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+Fixes #59720
+Fixes CVE-2023-24539
+Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1]
+CVE: CVE-2023-24539
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ src/html/template/css.go      | 2 +-
+ src/html/template/css_test.go | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+diff --git a/src/html/template/css.go b/src/html/template/css.go
+index 890a0c6b227fe..f650d8b3e843a 100644
+--- a/src/html/template/css.go
+++ b/src/html/template/css.go
+@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
+        // inside a string that might embed JavaScript source.
+        for i, c := range b {
+                switch c {
+-               case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
+               case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
+                        return filterFailsafe
+                case '-':
+                        // Disallow <!-- or -->.
+diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
+index a735638b0314f..2b76256a766e9 100644
+--- a/src/html/template/css_test.go
+++ b/src/html/template/css_test.go
+@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
+                {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
+                {`-expre\0000073sion`, "-expre\x073sion"},
+                {`@import url evil.css`, "ZgotmplZ"},
+               {"<", "ZgotmplZ"},
+               {">", "ZgotmplZ"},
+        }
+        for _, test := range tests {
+                got := cssValueFilter(test.css)

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch new file mode 100644 index 0000000000..281b6486a8 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
@@ -0,0 +1,60 @@
	1	From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001
	2	From: Roland Shoemaker <bracewell@google.com>
	3	Date: Thu, 13 Apr 2023 15:40:44 -0700
	4	Subject: [PATCH] html/template: disallow angle brackets in CSS values
	5
	6	Angle brackets should not appear in CSS contexts, as they may affect
	7	token boundaries (such as closing a <style> tag, resulting in
	8	injection). Instead emit filterFailsafe, matching the behavior for other
	9	dangerous characters.
	10
	11	Thanks to Juho Nurminen of Mattermost for reporting this issue.
	12
	13	Fixes #59720
	14	Fixes CVE-2023-24539
	15
	16	Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
	17	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
	18	Reviewed-by: Julie Qiu <julieqiu@google.com>
	19	Run-TryBot: Roland Shoemaker <bracewell@google.com>
	20	Reviewed-by: Damien Neil <dneil@google.com>
	21	Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
	22	Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
	23	Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
	24	Run-TryBot: Carlos Amedee <carlos@golang.org>
	25	TryBot-Result: Gopher Robot <gobot@golang.org>
	26
	27	Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1]
	28	CVE: CVE-2023-24539
	29	Signed-off-by: Ashish Sharma <asharma@mvista.com>
	30	---
	31	src/html/template/css.go \| 2 +-
	32	src/html/template/css_test.go \| 2 ++
	33	2 files changed, 3 insertions(+), 1 deletion(-)
	34
	35	diff --git a/src/html/template/css.go b/src/html/template/css.go
	36	index 890a0c6b227fe..f650d8b3e843a 100644
	37	--- a/src/html/template/css.go
	38	+++ b/src/html/template/css.go
	39	@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
	40	// inside a string that might embed JavaScript source.
	41	for i, c := range b {
	42	switch c {
	43	- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
	44	+ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
	45	return filterFailsafe
	46	case '-':
	47	// Disallow <!-- or -->.
	48	diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
	49	index a735638b0314f..2b76256a766e9 100644
	50	--- a/src/html/template/css_test.go
	51	+++ b/src/html/template/css_test.go
	52	@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
	53	{`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
	54	{`-expre\0000073sion`, "-expre\x073sion"},
	55	{`@import url evil.css`, "ZgotmplZ"},
	56	+ {"<", "ZgotmplZ"},
	57	+ {">", "ZgotmplZ"},
	58	}
	59	for _, test := range tests {
	60	got := cssValueFilter(test.css)